Financial Firms Fight Back Against Phishing

Customer confidence is at stake in the wake of high-profile identity thefts.

Executives at financial institutions are frustrated—very frustrated.

Who can blame them? They've spent tons of time and energy building their online infrastructures and the public's confidence in online banking. Now both are being torn apart by phishing: deceptive e-mails and Web site redirection tricks designed to lure users into unwittingly revealing their user names and passwords.

"One of the most valuable things to a financial institution is the relationships they have with customers and the trust embodied in those relationships. Anything that damages that they take as a very serious problem. And phishing is an ongoing assault against the bond of trust that a brand tries to build with a customer," said Mark Durham, communications director at Identity Theft 911, LLC, an identity theft resolution agency based in Scottsdale, Ariz.

"It's not so much the financial losses—actual stolen funds—[that is causing the greatest concern]. Those things are really not that big for most banks. But it's the fact that the channel takes a hit," said Jim Bruene, editor of the Online Banking Report, published by Online Financial Innovations in Seattle.

Bruene has been covering the online banking industry for more than 10 years. He said he sees online fraud such as phishing and keylogging (hidden programs that capture a computer user's every keystroke) as stunting marketing efforts and the ability to grow the channel.

"How can Citibank send an e-mail to their customers and have them do anything anymore?" asked Bruene.

To restore confidence with customers, a coordinated effort of prevention is under way. "The most important thing is public awareness," said Dale Pupillo, deputy special agent in charge of the Criminal Investigative Division at the Secret Service in Washington. Pupillo works with financial institutions to build awareness, and he said he feels the agency has made a lot of progress.

Unfortunately for users of every awareness level, newer techniques attack the browsing session itself rather than the inbox. A visit the user initiates by typing the bank's address, with no e-mail involved, can be rerouted to an impostor site without the user's knowledge.

Malware that gets onto a user's system can rewrite entries in the operating system's hosts file, which the machine consults before it asks DNS, so that the bank's real host name resolves to an attacker's IP address. Other malware hides the malicious URL by drawing a JPEG image of the legitimate URL on top of the browser's address bar. And the technique known as pharming spoofs domains by altering the records that DNS (Domain Name System) servers return, so that even a correctly typed name resolves to the attacker's address.


Because of these Web-based attacks, education alone is not enough. Consumers need anti-phishing programs on their desktops and at the server level, suggests Simon Clausen, CEO of PC Tools Pty Ltd., in North Sydney, Australia. PC Tools develops Spyware Doctor, which recently added anti-phishing technology that detects site-redirecting attacks by prescanning every URL and IP address the browser is about to visit against its lists of whitelisted and blacklisted sites.
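The two client-side checks described above, the hosts-file hijack and the URL prescan against whitelisted and blacklisted sites, fit in one small routine. The following is an added example written for this article, not code from PC Tools or any product; the bank name, the allowlisted addresses, the blocklist entries and the hosts-file contents are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a hosts file on a compromised machine (not real data):
# the attacker has pinned the bank's host name to a server they control.
SAMPLE_HOSTS = """
127.0.0.1       localhost
# harmless-looking comment left by the installer
203.0.113.45    www.examplebank.com examplebank.com
198.51.100.7    mail.example.net
"""

# Hypothetical allowlist: host names the user's bank actually uses, with the
# addresses the bank publishes for them. Assumed for the example.
ALLOWLIST = {
    "www.examplebank.com": {"192.0.2.10", "192.0.2.11"},
    "examplebank.com": {"192.0.2.10"},
}

# Hypothetical blocklist of known phishing hosts (constructed, not a real feed).
BLOCKLIST = {"examplebank-secure-login.example", "examp1ebank.com"}


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment entry in a hosts file."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        ip, *names = line.split()              # one IP, one or more names
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def check_url(url, hosts_map, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Classify a URL before the browser follows it.

    Returns one of:
      "blocked"        host is on the blocklist
      "hijacked-hosts" host is allowlisted but the local hosts file redirects it
      "ip-literal"     URL addresses a raw IP, which no real bank login page does
      "ok"             allowlisted host with no local override
      "unknown"        on neither list; the caller decides what to do
    """
    host = (urlsplit(url).hostname or "").lower()
    if host in blocklist:
        return "blocked"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass                                   # a normal host name
    if host in allowlist:
        override = hosts_map.get(host)
        if override is not None and override not in allowlist[host]:
            return "hijacked-hosts"
        return "ok"
    return "unknown"


def scan_hosts_for_hijacks(hosts_map, allowlist=ALLOWLIST):
    """List (hostname, ip) hosts-file entries that override an allowlisted bank host."""
    return sorted(
        (name, ip) for name, ip in hosts_map.items()
        if name in allowlist and ip not in allowlist[name]
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for u in ["https://www.examplebank.com/login",
              "http://203.0.113.45/examplebank/login",
              "https://examp1ebank.com/login",
              "https://mail.example.net/"]:
        print(u, "->", check_url(u, hosts))
    print("hosts-file hijacks:", scan_hosts_for_hijacks(hosts))
```

This catches the hosts-file variant and list-based phishing, but not the other two tricks in the article: a JPEG drawn over the address bar never changes the URL, and pharming at the DNS server leaves the local hosts file clean. Catching the latter needs the same comparison applied to what the resolver actually returns, against addresses the bank publishes out of band.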

Banks can't just rely on others to improve customer relations. Bruene is an advocate of increasing online security for financial institutions.

"There should be something besides user name and password before you can move money out of an account," said Bruene, who for years has been a strong proponent of two-factor authentication.


Other techniques Bruene recommends for combating phishing include greeting customers by name or through a personalized portal when they visit a bank's site, so that an impostor page that cannot reproduce those details stands out. Another option is to ask a "challenge" question before sensitive transactions such as adding a new payee to an account.
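Bruene's two points above, a second factor before money moves and a challenge at the moment of a sensitive transaction, amount to a step-up policy: a password-only session may read balances, but adding a payee or sending money out requires fresh proof of a second factor. The following is an added example, not code from any bank or from the people quoted; it uses a time-based one-time password (RFC 6238 TOTP) as the second factor and a hypothetical action classification, both assumed for the example. The secret in the demonstration is the RFC reference value, not a real enrolment key.

```python
import hashlib
import hmac
import struct
import time

# Hypothetical classification of account actions. Anything that moves money or
# changes where money can go is sensitive; reading a balance is not.
# Assumed for the example, not a real bank's policy.
SENSITIVE_ACTIONS = {"transfer_external", "add_payee", "change_contact_details"}
STEP_UP_TTL = 300   # seconds a successful second-factor check stays valid (assumed)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current code or one step either side, to absorb clock drift.
    Constant-time compare so a wrong guess is not distinguishable by timing."""
    at = time.time() if at is None else at
    base = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, base + k).encode(), code.encode())
        for k in range(-window, window + 1)
    )


class Session:
    """Minimal stand-in for a logged-in online-banking session."""
    def __init__(self, user, totp_secret):
        self.user = user
        self.totp_secret = totp_secret      # enrolled per user (assumed)
        self.stepped_up_until = 0.0         # Unix time until which 2FA is satisfied


def authorize(session, action, second_factor=None, now=None):
    """Decide whether ACTION may proceed for this session.

    Returns "allowed", "step-up required" (the caller should now prompt for
    the second factor) or "denied". A password-only login is enough for
    read-only actions; moving money needs a fresh second factor.
    """
    now = time.time() if now is None else now
    if action not in SENSITIVE_ACTIONS:
        return "allowed"
    if session.stepped_up_until > now:
        return "allowed"                    # recent second factor still valid
    if second_factor is None:
        return "step-up required"
    if verify_totp(session.totp_secret, second_factor, at=now):
        session.stepped_up_until = now + STEP_UP_TTL
        return "allowed"
    return "denied"


if __name__ == "__main__":
    # RFC 6238 reference secret; a real deployment issues a random per-user key.
    secret = b"12345678901234567890"
    s = Session("alice", secret)
    print(authorize(s, "view_balance"))                            # allowed
    print(authorize(s, "add_payee"))                               # step-up required
    print(authorize(s, "add_payee", second_factor="000000"))       # denied
    print(authorize(s, "add_payee", second_factor=totp(secret)))   # allowed
```

The gate is keyed to the action, not to login, which is the point of Bruene's remark: a phisher who has captured the user name and password still cannot add a payee without the current code. A knowledge-based challenge question can be slotted into `verify_totp`'s place, but answers to such questions are themselves phishable, so an out-of-band or device-bound factor is the stronger choice where the bank can deploy one.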

Identity theft can be a direct result of phishing activity. Identity Theft 911's Durham urges financial institutions, as a matter of fiduciary duty, to have programs and processes in place to deal with identity theft before it arises rather than after.

"You have to have something in place. That's because time is of the essence," Durham said. He points to credit unions as being among the best examples of institutions that both educate their members and make identity theft resolution services available—often free to their members.

Fortunately, Durham and others say they are seeing a spirit of cooperation and an intense desire to share resources when it comes to fighting phishing. Law enforcement is working with the private sector—banks and software providers—to develop technical safeguards.

It's not about publicity; it's about the consumers, according to CID's Pupillo, who said he has noticed a change in how the Secret Service is handling these cases.

"In the old days we used to run out and throw the cuffs on somebody and parade them in front of the press as we were walking them into court. Now we work a little bit more behind the scenes to protect the public, and we might not make an arrest. And the case may go on a little bit longer, but our first responsibility is to protect the public," Pupillo said.

David Spark is a freelance writer in San Francisco. He can be reached at
